AWS Config to monitor compliance

AWS Config is a service that helps keep track of the resources deployed in, and associated with, an AWS account.

It evaluates resource configurations against rules, records their relationships to other entities and resources, and tracks how those configurations change over time, if they change at all.

The dashboard itself provides a timeline showing which changes were tracked over time and when a resource became compliant or noncompliant.

Configuring AWS Config

Resource types to record

Select “All resources” so that changes to every supported resource type are tracked.

S3 bucket

S3 bucket to store configuration history

In my case I had a bucket available already. Otherwise AWS Config can create one for you. The naming syntax will be “config-bucket-<account-id>/<prefix>/AWSLogs”.

SNS topic

An SNS topic (the default name will be “config-topic”)

An added SNS topic notifies other resources of changes. The topic can also be used to drive automation, for example an automated remediation that resolves a noncompliant status, or to invoke something else whenever a compliance state is triggered. For the sake of convenience, the SNS topic created in this example will have an email subscription.


AWS Config role selection

As with any AWS resource that is configured to act on your behalf, AWS Config must be granted its permissions through a role. AWS Config provides an existing service-linked role, which adds some convenience.

Creating rules

Rules define the actual checks that are evaluated to determine whether a resource is compliant or noncompliant.

In this case, two pre-configured rules will be added to the configuration:

  • ebs-optimized-instance
    This rule monitors whether EC2 instances in the AWS account have been configured with the EBS-optimized instance option. However, AWS increasingly provides instance types on which EBS optimization is simply enabled, so turning it on or off no longer makes a difference.
  • ec2-instance-detailed-monitoring-enabled
    This pre-configured AWS Config rule likewise monitors whether a given EC2 instance has detailed monitoring enabled. If detailed monitoring is desired, an automated remediation can be implemented so that AWS Config takes a corrective action on a noncompliant finding (but watch out for the additional cost of detailed monitoring).
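The configuration steps above (recorder for all resources, existing S3 bucket, SNS topic with email subscription, service-linked role, and the two pre-configured rules) expressed as Terraform; this is an example added here, not code from the original post. It assumes the AWS provider is configured, that the bucket name and email address are placeholders to replace, and that no AWSServiceRoleForConfig exists yet in the account (otherwise import it instead of creating it).

```hcl
resource "aws_iam_service_linked_role" "config" {
  aws_service_name = "config.amazonaws.com"
}

# "All resources": record every supported type, including global ones such as IAM.
resource "aws_config_configuration_recorder" "this" {
  role_arn = aws_iam_service_linked_role.config.arn
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

# Notification topic (the post's default name); it can later drive automated remediation.
resource "aws_sns_topic" "config" {
  name = "config-topic"
}
resource "aws_sns_topic_subscription" "email" {
  topic_arn = aws_sns_topic.config.arn
  protocol  = "email"
  endpoint  = "security-alerts@example.com" # placeholder address, confirm the subscription mail
}

# Delivery channel: history to the existing bucket (its policy must let config.amazonaws.com write), notifications to SNS.
resource "aws_config_delivery_channel" "this" {
  s3_bucket_name = "config-bucket-123456789012" # placeholder, use your own bucket
  sns_topic_arn  = aws_sns_topic.config.arn
  depends_on     = [aws_config_configuration_recorder.this]
}

# Recording only starts once the delivery channel exists.
resource "aws_config_configuration_recorder_status" "this" {
  name       = aws_config_configuration_recorder.this.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.this]
}

# The two pre-configured (AWS managed) rules from the post, declared from one map.
resource "aws_config_config_rule" "managed" {
  for_each = {
    "ebs-optimized-instance"                   = "EBS_OPTIMIZED_INSTANCE"
    "ec2-instance-detailed-monitoring-enabled" = "EC2_INSTANCE_DETAILED_MONITORING_ENABLED"
  }
  name = each.key
  source {
    owner             = "AWS"
    source_identifier = each.value
  }
  depends_on = [aws_config_configuration_recorder.this]
}
```

Rules are evaluated only after the recorder is running, which is why both the delivery channel and the rules declare a dependency on the recorder.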

AWS Config Timeline

Once everything is configured and the AWS Config service has run its first compliance evaluations, a timeline can be opened to visualize the configuration status of a given resource over time.

The timeline can also be drilled into to see which changes occurred around a compliance or noncompliance finding.
